
System Post-Implementation Review Audit Program

SYSTEM POST-IMPLEMENTATION REVIEW AUDIT
WORK PROGRAM
This audit program is designed to assess the usage, supporting information technology processes, and infrastructure for [System]. Additionally, this document will assist with limited testing of the operational effectiveness of the system and its interfaces.
OBJECTIVES
• Confirm the company’s current system utilization with key users to verify that it is meeting the intended business needs, to identify potential improvement opportunities, and to validate key areas of risk/concern.
• Verify that access to the system is appropriately restricted, that only authorized personnel have physical access to the resources on which the system resides, and that users are aware of their responsibilities.
• Verify that data processing and interface utilization procedures help ensure the continued integrity of the data utilized by the system. Additionally, verify that resources required by the system are readily available.
• Verify that the ability to make changes to the system and/or supporting infrastructure is appropriately restricted and that modifications follow defined change control procedures.
• Verify that the system has been appropriately incorporated into existing data backup, business continuity and disaster recovery procedures.
IN-SCOPE ENTITIES
• Name
• Name
• Name
KEY CONTACTS
THE SYSTEM
• Name
• Name
• Name
• Name
THE SYSTEM
• Name
• Name
• Name
• Name
THE SYSTEM
• Name
• Name
• Name
• Name
INTERNAL AUDITOR
• Name
• Name
• Name
• Name
TIMING:
• Hours allocated: #
• Fieldwork will commence the week of Date and will conclude the week of Date.
• A report will be issued for management action plan responses no later than Date.
• Audit report findings will be presented to the audit committee during the Date meeting.
General and/or Administrative
• Meet with key contacts to gain a high-level understanding of the process and discuss audit objectives.
• Prepare/finalize the audit work program and timing.
• Conduct detailed planning and schedule meetings.
• Execute audit procedures.
• Perform quality assurance and quality control activities.
• Prepare final deliverables.
• Perform follow-up, contingency and other administrative tasks.
Audit Procedures
Objective A:
Confirm the company’s current system utilization with key users to verify that it is meeting the
intended business needs, to identify potential improvement opportunities, and to validate key
areas of risk/concern.
Procedures:
• Identify the intended business goals for the system along with any applicable metrics being utilized to monitor business activities.
• Identify key system users at each of the in-scope facilities.
• Conduct information-gathering interview(s) with a selected sample of users to gain a baseline understanding of their current utilization of the system.
• Identify instances in which the system is not currently being used as intended.
• Conduct discussions with key users to identify potential improvement opportunities based on desired enhancements and efficiency/utilization concerns, and to compare alignment with intended business goals.
• Identify potential areas of risk/concern based on usage of the system that falls outside of, or short of, the intended business need.
Objective B:
Verify that access to the system is appropriately restricted, that only authorized personnel
have physical access to the resources on which the system resides, and that users are
aware of their responsibilities.
Procedures – Logical Access to Resources:
• Identify individuals with security administration responsibilities over the system.
• Through discussions with the identified individuals, identify the process by which access to the system is managed. Ensure that access setup and modification are appropriately authorized, that terminations are processed in a timely manner, and that access rights are periodically reviewed for appropriateness.
• Determine the ability of users to access the system remotely and ensure that remote access is appropriately restricted to authorized personnel.
• Obtain documentation of the specific password parameters utilized for both network and application access. Determine whether the parameters appropriately prevent unauthorized access to the system.
• Obtain a list of current users and validate its appropriateness, on a sample basis, with select departmental leadership at each sampled facility.
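The user-list validation and the termination/password-parameter tests above are usually worked from two exports: the application's user list and the HR roster. The script below is an added example (not part of the KnowledgeLeader work program) of how an auditor can reconcile those exports before sampling with departmental leadership: it flags accounts still enabled after the HR termination date, logins recorded after termination, dormant accounts, and accounts with no HR owner, and it compares documented password parameters against a minimum baseline. The sample roster, user export, the 90-day dormancy threshold and the `BASELINE` values are constructed for illustration; the page prescribes none of them.

```python
from datetime import date

# Constructed sample HR roster: employee id -> employment status.
HR_ROSTER = {
    "e100": {"status": "active",     "terminated": None},
    "e101": {"status": "terminated", "terminated": date(2024, 1, 15)},
    "e102": {"status": "active",     "terminated": None},
    "e103": {"status": "terminated", "terminated": date(2024, 3, 2)},
}

# Constructed sample application user export (what the auditor requests
# from the security administrator).
APP_USERS = [
    {"user": "alee",      "emp_id": "e100", "role": "AP_CLERK", "enabled": True,  "last_login": date(2024, 3, 20)},
    {"user": "bortiz",    "emp_id": "e101", "role": "AP_ADMIN", "enabled": True,  "last_login": date(2024, 2, 1)},
    {"user": "cnair",     "emp_id": "e102", "role": "AP_CLERK", "enabled": True,  "last_login": date(2023, 9, 1)},
    {"user": "dkim",      "emp_id": "e103", "role": "AP_CLERK", "enabled": False, "last_login": date(2024, 2, 28)},
    {"user": "svc_batch", "emp_id": None,   "role": "AP_ADMIN", "enabled": True,  "last_login": date(2024, 3, 21)},
]

AS_OF = date(2024, 3, 22)   # review date
DORMANT_DAYS = 90           # assumed policy threshold for unused accounts


def review_users(app_users, hr_roster, as_of, dormant_days=DORMANT_DAYS):
    """Return (user, issue) pairs: terminated-but-enabled accounts, logins
    after termination, dormant accounts and accounts with no HR owner."""
    findings = []
    for u in app_users:
        emp = hr_roster.get(u["emp_id"]) if u["emp_id"] else None
        if emp is None:
            findings.append((u["user"], "no HR record (unowned or service account; confirm an owner)"))
        else:
            term = emp["terminated"]
            if term is not None and u["enabled"]:
                findings.append((u["user"], f"terminated {(as_of - term).days} days ago, still enabled"))
            if term is not None and u["last_login"] is not None and u["last_login"] > term:
                findings.append((u["user"], "login recorded after termination date"))
        if u["enabled"] and u["last_login"] is not None and (as_of - u["last_login"]).days > dormant_days:
            findings.append((u["user"], f"dormant: no login in {dormant_days} days"))
    return findings


# Assumed minimum parameters for the password-policy comparison; the work
# program does not prescribe values, so treat these as an illustrative baseline.
BASELINE = {"min_length": 12, "history": 12, "lockout_threshold": 10, "complexity": True}


def check_password_policy(params, baseline=BASELINE):
    """Return the names of documented parameters that are weaker than the baseline."""
    gaps = []
    if params.get("min_length", 0) < baseline["min_length"]:
        gaps.append("min_length")
    if params.get("history", 0) < baseline["history"]:
        gaps.append("history")
    lockout = params.get("lockout_threshold", 0)
    # 0 means the account never locks; a larger value allows more guesses.
    if lockout == 0 or lockout > baseline["lockout_threshold"]:
        gaps.append("lockout_threshold")
    if baseline["complexity"] and not params.get("complexity", False):
        gaps.append("complexity")
    return gaps


# Constructed sample parameters as they might be documented for each layer.
NETWORK_POLICY = {"min_length": 8,  "history": 5,  "lockout_threshold": 0, "complexity": True}
APP_POLICY     = {"min_length": 14, "history": 24, "lockout_threshold": 5, "complexity": True}

if __name__ == "__main__":
    for user, issue in review_users(APP_USERS, HR_ROSTER, AS_OF):
        print(f"{user:10} {issue}")
    print("network policy gaps:", check_password_policy(NETWORK_POLICY))
    print("application policy gaps:", check_password_policy(APP_POLICY))
```

The output is the exception list to take into the departmental interviews: a terminated user still enabled with a post-termination login is a control failure on its own, whereas an unowned service account or a dormant user is a question for the owner rather than a finding until confirmed.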
Procedures – Physical Access to Resources:
• Determine the location of key system technology infrastructure and verify that access is limited to authorized personnel.
• Confirm that a formal process is in place for managing access rights to the identified location.
Procedures – User Awareness of Responsibilities:
• Identify training, education and awareness initiatives in place to ensure that users are aware of their responsibilities for safeguarding access to the application, as well as of the standards for its acceptable use.
Objective C:
Verify that data processing and interface utilization procedures help ensure the continued
integrity of the data utilized by the application. Additionally, verify that resources required by
the application are readily available.
Procedures:
• Identify individuals with responsibilities over the system for managing data processing and interface resources.
• Through discussions with the identified individuals, identify the method(s) by which data is processed, manipulated, and/or transferred to and received from other systems. Evaluate each of the following, to the extent applicable, for reasonableness:
− User access to batch processing interfaces.
− Error detection reporting capabilities (e.g., transaction rollback) and review procedures.
− Performance of data integrity checks.
• Perform limited testing, on a sample basis, of system and interface operational effectiveness.
• Review the methods used to monitor system performance and availability to ensure that resources required by the application are readily available. Additionally, determine consistency with established service-level agreements (as applicable).
• Identify the support processes (e.g., help desk function) for exception handling and error reporting to ensure that issues are resolved in a timely manner.
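The "data integrity checks" and the sample-based interface testing above are most concrete for batch file interfaces, where the classic controls are a record count and a hash total carried in a trailer record, plus a record-level reconciliation between what the source sent and what the target loaded. The script below is an added example (not from the work program) that implements those checks on a constructed pipe-delimited batch: `SENT` is the file as produced, `RECEIVED` is the same batch with one record dropped and one amount altered in transit. The file layout (H/D/T record types, the field order) and the sample values are assumptions for illustration.

```python
import hashlib
from decimal import Decimal

# Constructed sample interface files: H = header, D = detail, T = trailer
# carrying the record count and the hash total of the amount column.
SENT = """\
H|AP_INVOICES|2024-03-21
D|INV1001|V001|1250.00
D|INV1002|V007|89.99
D|INV1003|V001|4300.50
T|3|5640.49
"""

# The same batch as it arrived: INV1002 is missing and INV1003's amount changed.
RECEIVED = """\
H|AP_INVOICES|2024-03-21
D|INV1001|V001|1250.00
D|INV1003|V001|4300.05
T|3|5640.49
"""


def parse_batch(text):
    """Split a batch into header fields, a list of (id, vendor, amount)
    detail rows and the trailer (count, total). Amounts use Decimal so
    the hash total is exact."""
    header = trailer = None
    details = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tag, *fields = line.split("|")
        if tag == "H":
            header = tuple(fields)
        elif tag == "D":
            rid, vendor, amount = fields
            details.append((rid, vendor, Decimal(amount)))
        elif tag == "T":
            trailer = (int(fields[0]), Decimal(fields[1]))
        else:
            raise ValueError(f"unknown record type {tag!r}")
    return header, details, trailer


def validate_batch(text):
    """Control-total checks a receiving system should run before posting."""
    header, details, trailer = parse_batch(text)
    if header is None or trailer is None:
        return ["missing header or trailer record"]
    issues = []
    ids = [rid for rid, _, _ in details]
    dups = sorted({rid for rid in ids if ids.count(rid) > 1})
    if dups:
        issues.append(f"duplicate record ids: {dups}")
    if len(details) != trailer[0]:
        issues.append(f"record count {len(details)} != trailer count {trailer[0]}")
    total = sum((amt for _, _, amt in details), Decimal("0"))
    if total != trailer[1]:
        issues.append(f"hash total {total} != trailer total {trailer[1]}")
    return issues


def reconcile(sent_text, received_text):
    """Record-level comparison of what the source sent and what the target loaded."""
    sent = {rid: (v, a) for rid, v, a in parse_batch(sent_text)[1]}
    recv = {rid: (v, a) for rid, v, a in parse_batch(received_text)[1]}
    return {
        "missing":    sorted(set(sent) - set(recv)),
        "unexpected": sorted(set(recv) - set(sent)),
        "altered":    sorted(k for k in sent.keys() & recv.keys() if sent[k] != recv[k]),
    }


def fingerprint(text):
    """Whole-file digest; exchanged out of band it detects any change in transit."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("sent:", validate_batch(SENT) or "clean")
    print("received:", validate_batch(RECEIVED))
    print("reconciliation:", reconcile(SENT, RECEIVED))
    print("digests match:", fingerprint(SENT) == fingerprint(RECEIVED))
```

When testing an interface on a sample basis, the auditor's question is whether the receiving side actually performs `validate_batch`-style checks and rejects or quarantines the batch on a mismatch, and whether the count/total trailer is generated by the source system rather than recomputed by the receiver (a receiver-computed total always "matches").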
Objective D:
Verify that the ability to make changes to the system and/or supporting infrastructure is
appropriately restricted and that modifications follow defined change control procedures.
Procedures:
• Identify individuals with change control responsibilities over the system.
• Through discussions with the identified individuals, request and obtain existing change control documentation and identify the process(es) in place for the following:
− Identifying and approving necessary changes.
− Prioritizing changes.
− Quality assurance testing (e.g., user-acceptance testing).
− Segregation of duties (e.g., developer access to production).
− Reconciling documented changes with those implemented.
− Emergency procedures (e.g., retro-approval process).
− Rollback procedures.
− End-user involvement and communication.
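Three of the items above (segregation of duties, reconciling documented changes with those implemented, and emergency retro-approval) can be tested directly by joining the change ticket list to the production deployment log. The script below is an added example, not part of the work program, of that reconciliation: it flags deployments with no change record, deployments made before approval was recorded, emergency changes with no retro-approval, tickets approved but never deployed, approver-equals-implementer cases, and deployments performed by developer accounts. The tickets, deployment log and the `DEVELOPERS` set are constructed sample data; field names are assumptions.

```python
from datetime import datetime as dt

# Constructed sample change records from the ticketing system.
# approved_at is None where no approval (or retro-approval) was recorded.
TICKETS = {
    "CHG-101": {"approved_at": dt(2024, 3, 1, 10, 0), "approver": "mgr1", "emergency": False},
    "CHG-102": {"approved_at": dt(2024, 3, 5, 9, 0),  "approver": "dev2", "emergency": False},
    "CHG-103": {"approved_at": None,                  "approver": None,   "emergency": True},
    "CHG-104": {"approved_at": dt(2024, 3, 8, 12, 0), "approver": "mgr1", "emergency": False},
    "CHG-105": {"approved_at": dt(2024, 3, 9, 9, 0),  "approver": "mgr1", "emergency": False},
}

# Constructed sample production deployment log ("change" is None when the
# deployment tool recorded no ticket reference).
DEPLOYMENTS = [
    {"change": "CHG-101", "by": "ops1", "at": dt(2024, 3, 2, 1, 0)},
    {"change": "CHG-102", "by": "dev2", "at": dt(2024, 3, 5, 15, 0)},
    {"change": "CHG-103", "by": "ops1", "at": dt(2024, 3, 7, 3, 0)},
    {"change": None,      "by": "dev1", "at": dt(2024, 3, 9, 20, 0)},
    {"change": "CHG-104", "by": "ops1", "at": dt(2024, 3, 8, 11, 0)},
]

# Assumed: accounts that hold development roles and should not deploy to production.
DEVELOPERS = {"dev1", "dev2"}


def reconcile_changes(tickets, deployments, developers=DEVELOPERS):
    """Return (change id or '<none>', issue) pairs for the change-control tests."""
    findings = []
    deployed = set()
    for d in deployments:
        cid = d["change"] or "<none>"
        if d["by"] in developers:
            findings.append((cid, f"deployed to production by developer {d['by']}"))
        t = tickets.get(d["change"])
        if t is None:
            findings.append((cid, f"no change record for deployment by {d['by']} at {d['at']:%Y-%m-%d %H:%M}"))
            continue
        deployed.add(d["change"])
        if t["approved_at"] is None:
            kind = "emergency change lacks retro-approval" if t["emergency"] else "deployed without approval"
            findings.append((cid, kind))
        elif d["at"] < t["approved_at"] and not t["emergency"]:
            findings.append((cid, "deployed before approval was recorded"))
        if t["approver"] is not None and t["approver"] == d["by"]:
            findings.append((cid, "approver and implementer are the same person"))
    # Documented-to-implemented direction: approved work that never reached production.
    for cid, t in tickets.items():
        if cid not in deployed and t["approved_at"] is not None:
            findings.append((cid, "approved but no matching production deployment"))
    return findings


if __name__ == "__main__":
    for cid, issue in reconcile_changes(TICKETS, DEPLOYMENTS):
        print(f"{cid:8} {issue}")
```

The reconciliation runs in both directions on purpose: deployments without tickets are the undocumented changes, while approved tickets without deployments are either stale records or work implemented outside the logged path, and both need an explanation from the change manager.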
Objective E:
Verify that the system has been appropriately incorporated into existing data backup,
business continuity and disaster recovery procedures.
Procedures:
• Identify individuals with data backup, business continuity and disaster recovery responsibilities over the system.
• Through discussions with the identified individuals, determine the coverage of existing data backup procedures to ensure that the system is appropriately addressed in the following areas:
− Identification of critical data.
− Backup schedule (including types of backups performed).
− Rotation schedule.
− Critical recovery timeframes.
− Data gap analysis (i.e., how much data would be “lost” since the last backup).
− Data integrity validation (e.g., mock restores).
• Confirm the location in which data backups are stored to ensure that access is restricted to authorized personnel (both physically and logically) and that backup sets are appropriately protected.
• Identify training, education and awareness initiatives in place to ensure that users assigned to data backup tasks are aware of their responsibilities.
• Identify environmental controls in place to safeguard the location of key system technology infrastructure.
• Determine the extent to which formal business continuity and/or disaster recovery processes exist and ensure that coverage has been updated to address business needs. Evaluate the following for reasonableness:
− The existence of formal process(es) and the extent to which the system is addressed.
− The system’s ability to recover critical application resources.
− Third-party/vendor arrangements.
− Periodic testing/employee awareness.
Source: www.knowledgeleader.com